Device and method with reduced information leakage

ABSTRACT

Provides a data processing system comprising a processor and encrypted information in a first persistent memory whose level of information leakage is higher than that of a second persistent memory. The second persistent memory stores a cryptographic key for decrypting the encrypted information, generating therefrom unencrypted information that is usable by the processor for executing an operation. The cryptographic key may be used for encrypting the unencrypted information, generating the encrypted information. Also provided is a method of processing such a data-processing system with an operating system, comprising writing unencrypted information into the first persistent memory, encrypting the unencrypted information under use of the first cryptographic key, creating therefrom encrypted information in the first persistent memory, and setting the data-processing system to a state in which writing into the first persistent memory is controlled by the operating system.

CROSS REFERENCE AND PRIORITY

This application, filed under 35 USC 371, is cross-referenced with, and claims priority from, International Patent Application PCT/IB02/04620 filed on Nov. 5, 2002, and published in English with Publication No. WO03/042799 on May 22, 2003, under PCT article 21(2), which in turn claims priority of European Patent Application No. 01811093.2, filed on Nov. 14, 2001.

The invention relates to a data-processing system, a method for processing the same, and a method for executing an operation on the same. More particularly the invention relates to a smartcard, a method of processing the smartcard under use of a cryptographic key, and a method for executing an operation on the smartcard under use of the cryptographic key.

TECHNICAL FIELD AND BACKGROUND OF THE INVENTION

Cryptographic operations are used for a variety of processes such as data encryption and authentication. In a typical symmetric cryptographic process, a secret key is known to two or more participants, who use it to secure their communications. In systems using asymmetric or public-key cryptography, one party typically performs operations using a secret key, e.g., the so-called private key, while the other performs complementary operations using only non-secret parameters, e.g., the so-called public key. In both symmetric and asymmetric cryptosystems, the secret parameters must be kept confidential, since an attacker who compromises a key can decrypt communications, forge signatures, perform unauthorized transactions, impersonate users, or cause other problems.

Methods for securely managing cryptographic keys using physically secure, shielded rooms are known and are widely used. However, the known methods for protecting keys in cryptographic devices are often inadequate for many applications, such as those requiring a high degree of tamper resistance.

Attacks such as reverse-engineering of a ROM using microscopes, timing attack cryptanalysis, as described for example by P. Kocher in “Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems,” Advances in Cryptology—CRYPTO '96, Springer-Verlag, pages 104-113, and error analysis as described for example by E. Biham and A. Shamir in “Differential Fault Analysis of Secret Key Cryptosystems,” Advances in Cryptology—CRYPTO '97, Springer-Verlag, 1997, pages 513-525, are known for analyzing cryptosystems.

Ciphers and algorithms believed to be cryptographically secure are known. For example, protocols using triple DES, i.e. a cipher constructed using three applications of the Data Encryption Standard using different keys, can resist cryptanalytic attacks, provided that attackers only have access to the standard inputs to and outputs from the protocol. However, even a product using an extremely strong cipher such as triple DES can be insecure if the keys are not managed securely. Smartcards commonly encode their internal data using a cryptographic technique such as the Data Encryption Standard (DES). A detailed description of DES is presented by Bruce Schneier in Applied Cryptography, 2nd edition, ISBN 0 11709-91 1996, John Wiley & Sons, at pp. 265. The Federal Information Processing Standard (FIPS) description of DES is contained in FIPS publication 46-3, available on the Internet at http://csrc.nist.gov/fips/.

DES is a block cipher method using a 64 bit key (of which only 56 bits are actually used), which is very fast and has been widely adopted. Though DES can be cracked by a brute-force attack, i.e. simply testing all possible keys, triple DES is still considered very secure. For the purposes of the examples described hereinafter, it is sufficient to know that the DES algorithm performs 16 rounds which effect lookups to eight separate translation tables called S-boxes. Other similar cryptographic techniques are also known in the art, including triple DES, IDEA, SEAL, and RC4; public key (asymmetric) encryption and decryption using RSA and El Gamal; digital signatures using DSA, El Gamal, and RSA; and Diffie-Hellman key agreement protocols. Despite the theoretical strength and complexity of these cryptographic systems, power analysis techniques have been developed which allow these keys to be cracked much more quickly.

Information on DES and other cryptographic algorithms can also be found in the Handbook of Applied Cryptography by Menezes et al. (CRC Press, Inc., 1997). The Data Encryption Standard (DES) is widely used as a cryptographic primitive for data encryption, pseudo-random number generation, MACs, and other cryptographic operations. The basic DES encryption algorithm uses a 56-bit key to transform a 64-bit plaintext block into a 64-bit ciphertext block. The corresponding decryption operation uses the same key to transform ciphertext blocks into their corresponding plaintexts.

To obtain a secret key from a cryptographic system, also referred to as cryptosystem, an attacker can exploit the fact that such a system leaks information. The attacker can try to gather data by observing a series of operations, perform statistical analysis on the observations, and use the results to determine the key. In a common situation, an attacker monitors a physical property, such as power consumption, of a secure token as it performs a cryptographic operation. The attacker collects a small amount of data related to the key each time the token is observed performing a cryptographic operation involving the key. The attacker increases the amount of information known about the key by collecting and statistically correlating or combining data from multiple observations of the token as it performs operations involving the key. In the case of a cryptosystem which is leaking information, such observations may contain signal information, i.e., information correlated usefully to the key. However, such observations also contain noise, i.e., information and error that hinder or are irrelevant to determination of the key. The quality of the information gained from these observations is characterized by a “signal to noise” or S/N ratio, which is a measure of the magnitude of the signal compared to the amount of noise. The number of operations that the attacker must analyze to recover the key depends on the measurement and analysis techniques, but is generally inversely proportional to the square of the S/N ratio. The constant of proportionality also depends upon the amount of confidence the attacker requires. For example, a relatively low confidence level may be acceptable to an attacker willing to do an optimized brute force search using statistical information about key bit values. Decreasing the signal by a factor of 15 and increasing the amount of measurement noise by a factor of 20 will reduce the signal-to-noise ratio by a factor of 300. This will generally mean that an attacker will require roughly 90,000 times as many observations to extract the same amount of information about the key. An attack requiring 1,000 observations to recover a key before the S/N reduction would now require on the order of 90 million observations to gain the same level of confidence in the recovered key.

Examples of DPA being used to extract a DES key are presented by Paul Kocher, Joshua Jaffe, and Benjamin Jun, 1998, “Introduction to differential power analysis and related attacks”, available at http://www.cryptography.com/dpa/technical; by Thomas S. Messerges, Ezzy A. Dabbish, and Robert H. Sloan, 1999, in “Investigations of power analysis attacks on smart cards”, Usenix '99, see http://www.eecs.edu/-tmesserg/usenix99/html/paper.html; and also by Louis Goubin and Jacques Patarin, 1999, in “DES and differential power analysis: the “duplication” method”, Proceedings of CHES '99, Springer Lecture Notes in Computer Science, vol. 1717 (August 1999); http://www.cryptosoft.com/htmi/secpub.htm#goubin.

A principal objective is to make a cryptosystem that is difficult to attack successfully, for example by increasing the number of observations required by an attacker to compromise a key. By reducing the available signal size and/or increasing the amount of error, noise, and uncertainty in attackers' measurements, a system designer can make the so-called work function, i.e. the effort required to break a system, larger. Ideally, the number of samples required to gain any significant amount of useful key information should exceed the maximum number of transactions that can be performed using the key, exceed the number of transactions that can be performed by the device, e.g., before the key expires, or else be so large that monitoring attacks are of comparable or greater difficulty than brute force and other known attacks. For example, if attackers are limited to measurements with a signal-to-noise ratio across an entire transaction well below 1/1000 in a system programmed to self-destruct after one million operations, which is well beyond the expected operational life of most smartcards, the attacker would be unable to collect enough measurements to compromise the device. For physically large systems, effective physical shielding, physical isolation, and careful filtering of inputs and outputs can protect cryptographic devices from external monitoring attacks that involve analyzing power consumption, electromagnetic radiation, electrical activity within the device, etc., as well as protecting against physical attacks. However, these techniques are difficult to apply in constrained engineering environments. For example, physical constraints such as size and weight, cost requirements, and the need to conserve power can prevent the use of the known shielding techniques.

Keeping electronic information hidden from hostile parties is desirable in many environments, whether personal, business, government, or military. “Sealed platforms”, which are special kinds of electronic hardware devices, have been developed to satisfy this need. The term “platform” generally refers to a hardware/software environment capable of supporting computation including the execution of software programs. A “sealed” platform refers to a platform purposely built to frustrate reverse-engineering.

In contrast to traditional credit and debit cards, which store a small amount of information on a magnetic strip, sealed platforms such as smartcards may store and process a significantly larger quantity of data using microprocessors, random access memory (RAM), and read only memory (ROM). Sealed platforms are typically secured using cryptographic technology which is intended to maintain and manipulate secret parameters in open environments without revealing their values. Compromise of a secret key used to compute a digital signature could, for example, allow an attacker to forge the owner's digital signature and execute fraudulent transactions.

A sealed platform is intended to perform its function while protecting information and algorithms, such as performing digital signatures as part of a challenge-response protocol, authenticating commands or requests, and encrypting or decrypting arbitrary data. A smartcard used in a stored value system may, for example, digitally sign or compute parameters such as the smart card's serial number, balance, expiration date, transaction counter, currency, and transaction amount as part of a value transfer.

Power analysis is the process of gathering information about the data and algorithms embodied on a platform by means of the “power signature” of the platform. The “power signature” of a platform is its power consumption profile measured over time, while executing the software stored on that platform. The power consumed by a microprocessor, micro-controller or similar electronic device changes with the state of the electronic components in the device. Such devices generally represent data in terms of binary 1s and 0s, which are represented in the electronic devices as corresponding high or low voltage levels. For example, a value of 1 may be represented by +5 volts and a value of 0 by 0 volts.

Hence, the amount of power that a sealed platform consumes may be correlated with the number of binary 1s in a data word at a given moment in time. It follows that the amount of current drawn by, and the electromagnetic radiation emanated from, a sealed platform may be correlated to the secrets being manipulated within it. Such signals can be measured and analyzed by attackers to recover secret keys. State transitions are also a major influence on the power consumption of a device performing a computation. As the value of a bit changes, transistor switches associated with that bit change state. Therefore, there is an increase in the amount of power consumed when the system is in transition. Attackers can non-invasively extract secret keys using external measurement and analysis of a device's power consumption, electromagnetic radiation, or processor cycle timing during performance of cryptographic operations. The current and voltage being supplied to the smartcard may be monitored while it is executing.

In simple power analysis (SPA), the power signature for the execution of a given algorithm is used to determine information about the algorithm and its data. Generally, power data is gathered from many executions and averaged at each point in time in the profile.

For example, if SPA is used to attack a DES key space, and the attacker has access to the specific code, but not the particular DES key, a particular series of points in the power signature may indicate the number of 1s and 0s in each 8-bit byte of the DES key. This reduces the space of possible keys for an exhaustive all-possible-keys attack from 2⁵⁶ possible keys to 2³⁸ possible keys, if parity bits are stored for each byte of the key, making search time among possible keys about 2¹⁸ times shorter.

Differential power analysis (DPA) is a form of power analysis in which information is extracted by means of gathering multiple power signatures and analyzing the differences between them. For certain kinds of data and algorithms exhibiting repetitious behavior, it is an extraordinarily effective method for penetrating secrets stored on sealed platforms. It can reveal information about the data resulting from computations, fetches from memory, stores to memory, the data addresses in the memory of the sealed platform from which data are fetched or to which data are stored during execution, and the code addresses from which instructions are fetched during the execution of algorithms on the sealed platform. These capabilities render protection of sealed platforms against DPA attack both very important to security and very difficult to achieve on inexpensive sealed platforms. While SPA attacks use primarily visual inspection to identify relevant power fluctuations, DPA attacks use statistical analysis and error correction techniques to extract information correlated to secret keys. Hence, DPA is a much more powerful attack than SPA, and is much more difficult to prevent. One use for DPA is to extract cryptographic keys for encryptions or decryptions performed on a sealed platform. For the Data Encryption Standard (DES), DPA has proved extremely effective; low-cost smart cards performing DES have proven, in recent experience, to be highly vulnerable to DPA. Any form of encryption or decryption which is similar to DES would necessarily have similar vulnerabilities when incarnated on low-cost smart cards or similar sealed platforms.

Implementation of a DPA attack to find a DES key involves two phases, namely data collection followed by data analysis. Data collection for DPA may be performed by sampling a device's power consumption during cryptographic operations as a function of time or number of clock cycles. For DPA, a number of cryptographic operations using the target key are observed. To perform such an attack on a smart card, one processes a large number (a thousand or more) of DES encryptions (or decryptions) on distinct plaintexts (or ciphertexts), recording for each the power profile, the input, chosen at random by the attacker, and the output, computed by the smartcard as the encrypted or decrypted value with the hidden key.

Each power profile is referred to as a sample. In each round of DES, the output of a given S-box is dependent on both the data to be encrypted (or decrypted) and the key. Since the attacker knows the input text, he guesses what the value of the key is that was used to generate a particular power signature sample, so he can determine whether a particular output bit of a given S-box is 1 or 0 for the particular data used in the sample. Each standard S-box has a 6-bit input and a 4-bit output. Typically, this analysis begins in round 1 or 16 since those are the ones where the attacker knows either the exact inputs (for round 1) or outputs (for round 16) for the respective S-box. The attacker does not know the key, but because the DES algorithm only performs one S-box lookup at a time, it is only necessary to guess the six bits of the secret key that are relevant to the S-box being observed and corresponding to the power consumption at that time. As only 6 bits are relevant, it is only necessary to test 2⁶=64 possible sequences of values for a given 6-bit portion of the 56-bit secret key. For each guess of the values of these six bits, one divides the samples into two groups: those in which the targeted output bit, that is, one of the four output bits from a targeted S-box which is chosen as a target in the first round of the attack, is a 1 if the attacker's guess of the six key bits is correct (the 1-group), and those in which it is a 0 if the attacker's guess of the six key bits is correct (the 0-group). The power samples in each group are then averaged. On average, modulo minor asymmetries in DES, those portions of the averaged power profiles which are affected only by bits other than the particular output bit mentioned above should be similar, since on average, in both groups, they should be 1 for about half of the samples in each group, and 0 for about half of the samples in each group. However, those portions of the averaged power profiles which are affected by the above-mentioned output bit should show a distinct difference between the 1-group and the 0-group. The presence of such a difference, or multiple such differences, indicates that the guessed value of the six key bits was correct. Its absence, or the absence of such differences, shows that the guessed value of the six key bits was incorrect. This process of guessing at the value of the secret key, dividing the power signature samples into those which will yield a 1-output and those which will yield a 0-output (the 1-group and 0-group respectively), averaging the profiles, and seeking the above-mentioned distinct difference, is repeated until a guess is shown to be correct. One then has six bits of the key. The above guessing procedure is repeated for the other seven S-boxes. When all S-boxes have been treated in this way, one has obtained 48 out of the 56 key bits, leaving only eight bits undetermined. This means one need only search a remaining key space of 2⁸=256 possible keys to find the balance of the correct secret key. It becomes apparent how little information the attacker needs to employ such an attack. The attacker does not have to know the specific code used to implement DES, the memory layout used for storing the S-boxes, where in the power profile the distinct difference or differences, if any, are expected to appear for a correct guess, how many such distinct differences are expected to appear in the power profile for a correct guess, or whether the chosen S-box output bits are normal or complemented, as flipping 1s and 0s will produce the same kind of distinct difference. DPA is only dependent on whether such a difference exists, not on the sign, i.e. + or −, of any given difference.

All an attacker really needs to know in order to mount a successful attack is that it is DES which is being attacked, and that the implementation of DES, at some point, employs a bit which corresponds to a specific output of the S-box, in such a way that its use will affect the power profile samples. The paucity of knowledge required to make a successful DPA attack which completely cracks a hidden DES key on a sealed platform clearly shows that DPA is a very effective means of penetrating a sealed platform. Only one specific form of DPA attack is described herein, but there are many related forms of DPA attacks which are also possible.

While the effects of a single transistor switching would normally be impossible to identify from direct observations of a device's power consumption, the statistical operations used in DPA are able to reliably identify extraordinarily small differences in power consumption.

Physical measures to protect sealed platforms against attack are known to include enclosing systems in physically durable enclosures, physical shielding of memory cells and data lines, physical isolation, and coating integrated circuits with special coatings that destroy the chip when removed. While such techniques may offer a degree of protection against physical damage and reverse engineering, they do not protect against non-invasive power analysis methods. Some devices, such as those shielded to United States Government Tempest specifications, use large capacitors and other power regulation systems to minimize variations in power consumption, enclosing devices in shielded cases to prevent electromagnetic radiation, and buffering inputs and outputs to hinder external monitoring. These techniques are often expensive or physically cumbersome, and are therefore inappropriate for many applications, such as smartcards, secure microprocessors, and other small, low-cost devices. Physical protection is generally inapplicable or insufficient due to reliance on external power sources, the physical impracticality of shielding, cost, and other characteristics imposed by a sealed platform's physical constraints such as size and weight.

In contrast to physical protection, smartcards may also be protected from a power analysis attack to an extent, at the software level, by representing data in a “Hamming-neutral” form. The Hamming weight of a bit string, such as a data word or byte, is the quantity of bits in the bit string with a value of 1. For example, 10100 will have a Hamming weight of 2, and 1111 will have a Hamming weight of 4. A set of “Hamming neutral” bit-strings is a set of bit-strings that all have the same number of 1s; for example, the set {011, 101, 110} is a Hamming-neutral set. If all of the data bytes manipulated by a software application have the same number of 1s, the power consumed by the device and the noise it emits will not vary as the device processes this data. For example, one could encode a bit string by replacing each “1” with a “10”, and each “0” with a “01”. All bit-strings would then have an equal number of 1s and 0s, and there would be no detectable power or noise variation between any pair of bit-strings.
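The Hamming-neutral encoding just described, worked through in Python as an added example (not code from the patent): it applies the page's 1→10 / 0→01 rule to every byte value and shows, under a Hamming-weight power model, that the plain bytes expose nine distinct weight levels while the encoded bytes expose exactly one. The function names are this example's own.

```python
"""Hamming-neutral ("dual-rail") data encoding as a software-level DPA countermeasure.

Added example; not from the patent. It models the page's argument with a simple
Hamming-weight power model: if every word the device handles has the same number
of 1 bits, that model leaks nothing about the word's value.
"""
from typing import Callable, Dict, Iterable, List, Optional


def hamming_weight(bits: str) -> int:
    """Number of 1s in a bit string (the page's definition of Hamming weight)."""
    if any(b not in "01" for b in bits):
        raise ValueError("bit string may only contain '0' and '1'")
    return bits.count("1")


def is_hamming_neutral(words: Iterable[str]) -> bool:
    """True if all bit strings in the set share one Hamming weight, e.g. {011, 101, 110}."""
    return len({hamming_weight(w) for w in words}) <= 1


def dual_rail_encode(bits: str) -> str:
    """Replace each '1' with '10' and each '0' with '01', as the page proposes.

    Every encoded string of n input bits then has exactly n ones and n zeros.
    """
    hamming_weight(bits)  # validates the alphabet before encoding
    return "".join("10" if b == "1" else "01" for b in bits)


def dual_rail_decode(encoded: str) -> str:
    """Inverse of dual_rail_encode.

    A pair other than '10' or '01' cannot arise from a valid encoding, so it is
    rejected instead of being silently mapped; on a device such a pair would
    indicate corruption or an induced fault in the encoded data.
    """
    if len(encoded) % 2:
        raise ValueError("dual-rail data must have even length")
    out = []
    for i in range(0, len(encoded), 2):
        pair = encoded[i:i + 2]
        if pair == "10":
            out.append("1")
        elif pair == "01":
            out.append("0")
        else:
            raise ValueError(f"invalid dual-rail pair {pair!r} at offset {i}")
    return "".join(out)


def weight_profile(words: Iterable[str],
                   encode: Optional[Callable[[str], str]] = None) -> Dict[int, int]:
    """Histogram of Hamming weights: how many distinct 'power levels' a
    Hamming-weight leakage model would expose for this set of words.

    If ``encode`` is given, it is applied to each word before weighing.
    """
    profile: Dict[int, int] = {}
    for w in words:
        hw = hamming_weight(encode(w) if encode else w)
        profile[hw] = profile.get(hw, 0) + 1
    return profile


def all_bytes() -> List[str]:
    """All 256 byte values as 8-bit strings (constructed sample data)."""
    return [format(v, "08b") for v in range(256)]


if __name__ == "__main__":
    plain = weight_profile(all_bytes())
    balanced = weight_profile(all_bytes(), encode=dual_rail_encode)
    print("plain bytes, weight levels exposed:", sorted(plain))        # 0..8, nine levels
    print("dual-rail bytes, weight levels exposed:", sorted(balanced))  # [8], one level
```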

This technique is known in the art of electrical signaling and hardware design, where it is referred to as power-balanced or differential signaling. The benefits of such circuits include: reduction in noise emissions or induction of cross-talk in other circuits; reduction in ground bounce, because power requirements are constant, so the voltage of the ground bus does not rise locally when a circuit switches from low to high; and independence from environmental noise, as both electrical lines in a differential pair are influenced by essentially the same level of environmental noise, so there is theoretically no net difference detected at the receiving end. These techniques are commonly used in military, super-computer and industrial control applications.

Since a normal, unsealed platform is susceptible to attacks potentially more powerful than power analysis (PA), the use of PA in discovery of secret information is primarily directed towards sealed platforms, such as smartcards. However, a simulated power profile of execution can be generated on a simulator for any processor, so it is possible to analyze algorithms for execution on ordinary, unsealed platforms using PA. Hence, although the most urgent need for PA resistance is for use on sealed platforms, such as smartcards, PA resistance is applicable to a much wider variety of platforms. Improved security is therefore useful for such devices to be securely used in a broad range of applications in addition to traditional retail commerce, including parking meters, cellular and pay telephones, pay television, banking, Internet-based electronic commerce, storage of medical records, identification and security access. There is therefore a need for a method, apparatus and system to reduce the amount of useful information leaked to attackers without resulting in excessive overheads. Reducing leakage refers generally to reducing the leakage of any information that is potentially useful to an attacker trying to determine secret information.

In WO 01/61915 the vulnerability of a system is reduced by introducing randomness to the observable operation, thereby frustrating the correlation of output power emissions with any meaningful internal processing.

In U.S. Pat. No. 6,278,783 methods and apparatus are described for improving DES and other cryptographic protocols against external monitoring attacks by reducing the amount and signal-to-noise ratio of useful information leaked during processing. An improved DES implementation of the invention instead uses two 56-bit keys (K1 and K2) and two 64-bit plaintext messages (M1 and M2), each associated with a permutation (i.e., K1P, K2P and M1P, M2P) such that K1P{K1} XOR K2P{K2} equals the “standard” DES key K, and M1P{M1} XOR M2P{M2} equals the “standard” message. During operation of the device, the tables are preferably periodically updated, by introducing fresh entropy into the tables faster than information leaks out, so that attackers will not be able to obtain the table contents by analysis of measurements. The technique is implementable in cryptographic smartcards, tamper resistant chips, and secure processing systems of all kinds.

WO 01/08012 describes an apparatus and a method for preventing information leakage attacks on a microelectronic assembly performing a cryptographic algorithm by transforming a first function, used by the cryptographic algorithm, into a second function, the method including the steps of receiving masked input data having n number of bits that is masked with an input mask, wherein n is a first predetermined integer; processing the masked input data using a second function based on a predetermined masking scheme; and producing masked output data having m number of bits that is masked with an output mask, wherein m is a second predetermined integer.

In WO 00/02342 methods and apparatus for increasing the leak-resistance of cryptographic systems using an indexed key update technique are disclosed. In one embodiment, a cryptographic client device maintains a secret key value as part of its state. The client can update its secret value at any time, for example before each transaction, using an update process that makes partial information that might have previously leaked to attackers about the secret no longer usefully describe the new updated secret value. By repeatedly applying the update process, information leaking during cryptographic operations that is collected by attackers rapidly becomes obsolete. Thus, such a system can remain secure against attacks involving analysis of measurements of the device's power consumption, electromagnetic characteristics, or other information leaked during transactions. The present invention can be used in connection with a client and server using such a protocol. To perform a transaction with the client, the server obtains the client's current transaction counter. The server then performs a series of operations to determine the sequence of transformations needed to re-derive the correct session key from the client's initial secret value. These transformations are performed, and the result is used as a transaction session key.

WO 99/67909 proposes a leak minimization for smartcards and other cryptosystems using a reduction of the amount of useful information leaked during processing. This is accomplished by implementing critical operations using “branchless” or fixed execution path routines whereby the execution path does not vary in any manner that can reveal new information about the secret key during subsequent operations. More particularly, various embodiments of the invention include: implementing modular exponentiation without key-dependent conditional jumps; implementing modular exponentiation with fixed memory access patterns; implementing modular multiplication without using leak-prone multiplication-by-one operations; and implementing leak-minimizing multiplication and other operations for elliptic curve cryptosystems.

In WO 99/67766 methods and apparatus are disclosed for performing computations in which the representation of data, the number of system state transitions at each computational step, and the Hamming weights of all operands are independent of computation inputs, intermediate values, or results. Exemplary embodiments implemented using conventional leaky hardware elements such as electronic components, logic gates, etc. as well as software executing on conventional leaky microprocessors are described. Smartcards and other tamper-resistant devices of the invention provide improved resistance to cryptographic attacks involving external monitoring.

In WO 99/63696 methods and apparatus are disclosed for securing cryptosystems against external monitoring attacks by reducing the amount and signal to noise ratio of useful information leaked during processing. This is generally accomplished by incorporating unpredictable information into the cryptographic processing. Various embodiments of the invention use techniques such as reduction of signal to noise ratios, random noise generation, clock skipping, and introducing entropy into the order of processing operations or the execution path. The techniques may be implemented in hardware or software, may use a combination of digital and analog techniques, and may be deployed in a variety of cryptographic devices.

OBJECT AND ADVANTAGES OF THE INVENTION

According to a first aspect of the invention as set forth in claims 1 and 2, a data-processing system is proposed that comprises a cryptographic key stored in a memory that has a lower level of information leakage than another memory. The use of this key brings in the advantage that the information that is encrypted under use of this key is thereby protected from external attacks, in particular differential power analysis. The key itself is less prone to such attacks due to the higher level of attack immunity through less information leakage. A typical data-processing system would be a machine-readable medium, more particularly a sealed platform such as a chipcard, also referred to as smartcard, i.e. a machine-readable device that comprises its own processor and memory. In particular, a cryptographic device or system can be used as the data-processing system.

If the first unencrypted information comprises a second cryptographic key usable for decrypting second encrypted information for the operation, a two-stage encryption process is used which advantageously combines local security through the second cryptographic key with global security through the first cryptographic key. The second cryptographic key is typically a personal key, unique to the data-processing system or its user. The first cryptographic key is typically a key not unique to the data-processing system or its user but unknown to external entities. A person knowing the first cryptographic key cannot access the secret information protected by the second cryptographic key without using DPA, and a person knowing the second cryptographic key can nevertheless not find out the first cryptographic key in order to use that information for accessing secret information on other machine-readable media.

If the data-processing system comprises stored code for executing a personalization step, the personalizing entity only needs to execute that step via the data-processing system in order to achieve the personalized state, including the use of the first cryptographic key. Thereby the use of that key can be transparent, i.e. not visible, to the personalizing entity.

If the data-processing system comprises stored code for executing an operation execution step, that step can include the decryption step to reveal the information that was previously encrypted with the first cryptographic key. Thereby also the decryption step is executed transparently to the outside world, including the personalizing entity and the user of the data-processing system.

A typical example for the data-processing system would be a smartcard.

According to a second aspect of the invention as set forth in claim 6, a method of processing such a data-processing system is proposed. The processing can be interpreted as a personalization step in which the data-processing system is turned from a non-customized product into a customized product by enhancing it with specific information, unique to that data-processing system.

The personalization step can be performed by writing the unencrypted information to its target memory location, e.g. the EEPROM, afterwards scanning the EEPROM for any such information and executing the encryption on it. That sensitive information in the EEPROM is encrypted and thereby protected. A typical example for that sensitive information are cryptographic keys. Those can comprise personal keys or other keys. In object- or type-based programming languages, no change to the APIs or to the applications making use of such keys is required.

No production and testing procedures need to be changed, as the established procedures can be kept as they are; only at the end of testing and production are the keys encrypted, again transparently to any further on-card or off-card software or hardware. The first cryptographic key does not have to be known to the personalization agency.

According to a third aspect of the invention as set forth in claim 7, a method of executing an operation on such a data-processing system is proposed. That method comprises a decryption step before the actual execution of the operation. That decryption step is executed on the encrypted information that has been loaded from the first persistent memory to a less-leaking memory. The decryption step is hence executed in an environment which is less-leaking and hence less prone to power analysis attack. The decryption step itself remains unnoticed by the external user and merely effects a longer, although not significantly longer, execution time for that operation.

According to a third aspect of the invention as set forth in claim 8, a computer program product comprising program code means for performing a method as described above is proposed. The computer program product can be in its simplest form a storage medium loaded with the program code. The storage medium advantageously could be integrated into the data-processing system.

SUMMARY OF THE INVENTION

Smartcard memory, including EEPROM, leaks information about its contents when those contents are accessed for reading stored information. One way for an attacking entity to make use of that leakage is by means of differential power analysis (DPA), in which read operations are monitored by means of chip power consumption and the actual EEPROM contents are derived. If such EEPROM content is a secret key guarding an electronic transaction, for example, the security of the whole electronic transaction system is in peril.

The invention is directed to a data-processing system comprising a processor and first encrypted information in a first persistent memory whose level of information leakage is higher than that of a second persistent memory. In the second persistent memory is stored a first cryptographic key for decrypting the first encrypted information, thereby generating therefrom first unencrypted information that is usable by the processor for executing an operation.

The invention is also directed to a data-processing system comprising a processor and first encrypted information in a first persistent memory whose level of information leakage is higher than that of a second persistent memory. In the second persistent memory is stored a first cryptographic key. The first cryptographic key may be used for encrypting the first unencrypted information, thereby generating the first encrypted information.

Also a combination of the two cases is possible, i.e. the same first cryptographic key can be used for the encryption and decryption of the first information.

The invention is also directed to a method of processing such a data-processing system that has an operating system, the method comprising a writing step for writing first unencrypted information into the first persistent memory, an encryption step for encrypting the first unencrypted information under use of the first cryptographic key, creating therefrom first encrypted information in the first persistent memory, and an access-limitation step for setting the data-processing system to a state in which writing into the first persistent memory is controlled by the operating system.

The invention is also directed to a method of executing an operation on such a data-processing system, the method comprising a decryption step for decrypting the first encrypted information under use of the first cryptographic key, thereby generating therefrom first unencrypted information, and an execution step for executing an operation by the processor, using the first unencrypted information. The invention is also directed to a computer program product comprising program code means for performing such method or methods.

The invention is applicable to any object- or type-based programming language running on any data-processing system that stores sensitive information in a data storage medium that is susceptible to external probing. An example would be the JavaCard runtime environment.

By tracking sensitive information within the first persistent memory and protecting it by means of a first cryptographic key that is used to encrypt the sensitive information when stored in the persistent memory, the sensitive information is protected from being analyzed through DPA. The first cryptographic key is again used to decrypt the sensitive information when the sensitive information is read from the persistent memory for actual use. An example for the sensitive information is a second cryptographic key. The sensitive information stored in the persistent memory of a probing-attack-prone storage technology operating on an object- or type-based programming language, such as an EEPROM in a smartcard, is hence better protected against fraudulent probing, e.g. by differential power attacks.

DESCRIPTION OF THE DRAWINGS

Examples of the invention are depicted in the drawing and described in detail below by way of example. It is shown in

FIG. 1 a schematic block diagram of a smartcard with its components.

The FIGURE is for sake of clarity and not shown in real dimensions, nor are the relations between the dimensions shown in a realistic scale.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

In the following, the various exemplary embodiments of the invention are described.

A smartcard typically embeds an electronic chip in a plastic card. The electronic chip may include, for example, a microprocessor or similar device, read-only memory (ROM), and/or read-write random access memory (RAM). The electronic chip may also include other electronic components such as digital signal processors (DSPs), field-programmable gate arrays (FPGAs), electrically-erasable programmable read-only memory (EEPROM) and miscellaneous support logic. Generally, the electronic chip is glued into a recessed area of a plastic card and is covered by a printed circuit which provides the electrical interface to an external smartcard reader. The standard configuration of the input and output pads of the printed circuit generally includes power (VCC), ground (GND), a clock input (CLK) and a serial input/output pad (I/O). Several additional unconnected pads (N/C) are also included in the standard configuration. Because the plastic card is somewhat flexible, the electronic chip should be small enough to avoid breaking. This limits the physical size of the electronic chip to a few millimeters across, and also limits the number of electronic components that can be supported. Contactless smartcards are also in use, which communicate with an external smartcard reader using radio frequencies or other wireless communication media. Such smartcards are generally equipped with an internal antenna, rather than the input and output pads of the printed circuit.

In FIG. 1 a data-processing system 10, which here is a smartcard, is depicted that comprises an EEPROM 20, also referred to as first persistent memory, a second persistent memory 40, also referred to as ROM, and a volatile memory 30, also referred to as RAM. These three memories 20, 30, 40 are connected to a processor 50 which is again connected to a DES co-processor 55. The smartcard 10 further comprises a connector field 60 for connection to an external device. In the ROM 40 are located an operating system 41 and a first cryptographic key, also referred to as cryptographic master key 45. In the EEPROM 20 a second cryptographic key 21 and a third cryptographic key 22 are stored. In the RAM 30 second encrypted information 33 is stored. The co-processor 55 can perform any type of cryptographic operation; here DES is selected for exemplary purposes.

For sake of better understanding, first a process without use of the cryptographic master key 45 is explained. The second cryptographic key 21 and third cryptographic key 22 are in such a case present in the EEPROM 20 in a non-encrypted form and are present for being used in an encryption or decryption process performed by the DES co-processor 55 in assistance to the processor 50. If during the execution of an application the processor 50 is instructed to perform an operation that needs to make use of one or more of the cryptographic keys 21, 22, the DES co-processor 55 is activated. It is assumed for this example that the second cryptographic key 21 is here needed to perform a decryption. The processor 50 accesses the EEPROM 20 to retrieve therefrom the second cryptographic key 21. The second cryptographic key 21 is loaded from the EEPROM 20 via the processor 50 to the RAM 30. The DES co-processor 55 retrieves the second cryptographic key 21 from the RAM 30 via the processor 50 and retrieves via the processor 50 also the data that is to be decrypted under use of the cryptographic key 21, from one of the memories 20, 30, 40. Here that data comprises the second encrypted information 33. Then the DES co-processor 55 performs the decryption and delivers the decrypted data to the processor 50.

A malicious user could perform a DPA attack on that operation, in particular sniffing on the leakage of the signal between the EEPROM 20 and the processor 50 by using a suitable leakage-detecting probe in combination with corresponding software.

In order to make such a DPA attack harder, the cryptographic master key 45 is used in accordance with the invention. The cryptographic keys 21, 22 reside in the EEPROM 20 in an encrypted form, namely having been previously encrypted under use of the cryptographic master key 45. They are hence present as first encrypted information. The corresponding encryption process shall be explained further below, but first the decryption shall be addressed here. An operation is assumed that needs the second cryptographic key 21. That operation is executed by the processor 50 in an operation execution step. Since the second cryptographic key 21 resides in the EEPROM 20 in encrypted form, the operation execution step comprises a decryption step to enable access to the second cryptographic key 21 in a decrypted form and to thereby enable use of it. Therefor the processor 50 not only retrieves the encrypted second cryptographic key 21 from the EEPROM 20 but also initiates the execution of a decryption step of the encrypted second cryptographic key 21.

The encrypted second cryptographic key 21 is loaded from the EEPROM 20 via the processor 50 to the RAM 30. The cryptographic master key 45 is loaded from the ROM 40 via the processor 50 to the RAM 30. The DES co-processor 55 retrieves the cryptographic master key 45 from the RAM 30 via the processor 50 and retrieves via the processor 50 also the encrypted second cryptographic key 21 that is to be decrypted under use of the cryptographic master key 45, from the RAM 30. Then the co-processor 55 performs the decryption step on the encrypted second cryptographic key 21 and delivers the resulting decrypted second cryptographic key 21 to the RAM 30.

Next follows the execution step of the operation execution step. The co-processor 55 retrieves the decrypted second cryptographic key 21 from the RAM 30 via the processor 50 and retrieves via the processor 50 also the data 33 that is to be decrypted under use of the decrypted second cryptographic key 21, from the RAM 30. Then the co-processor 55 performs the decryption and delivers the decrypted data to the processor 50. This is hence a series of decryption processes. The advantage is that the operation of retrieving the second cryptographic key 21 from the EEPROM 20 is less prone to a DPA attack, since the information that is transferred from the EEPROM 20 and that suffers from the information leakage of the EEPROM 20, namely the second cryptographic key 21, is transferred in encrypted form. Since the leakage of the ROM 40 and the RAM 30 is lower than the leakage of the EEPROM 20, the susceptibility of the overall system to DPA attacks is reduced.

In the following, the process of personalizing the smartcard 10 will be described. The smartcard 10 is manufactured by a smartcard manufacturer to comprise the plastic carrier with the embedded chip. The chip already contains the pre-stored cryptographic master key 45 in the ROM 40. The receiving entity, which typically is a smartcard-issuing entity, then processes the card in a personalization step, i.e. prepares this smartcard 10 for future use by a specific person. Therefore the smartcard issuer equips the smartcard 10 with personal information, namely here the cryptographic keys 21, 22 which are first written into the EEPROM 20. This writing step is performed in a secure environment, i.e. an environment that does not allow accessing the sensitive personal information. The smartcard issuer himself is a trusted party in that it may be assumed that it does not perform an attack on the system by using the cryptographic keys 21, 22 or even the cryptographic master key 45.

The smartcard 10 arrives at the smartcard issuer with the operating system 41 pre-stored. In that operating system 41 a personalization step is contained in a programmed form, which step is initiated by the smartcard issuer after writing the personal information 21, 22 to the EEPROM 20. The personalization step encompasses two substeps, an encryption step and an access-limitation step.

The personalization step starts by performing the encryption step that encrypts the first unencrypted information, i.e. the cryptographic keys 21, 22. Therefor the EEPROM 20 is scanned for all information that is to be encrypted under use of the cryptographic master key 45. This information here comprises the cryptographic keys 21, 22. The cryptographic keys 21, 22 can be recognized in a scanning step by the scanning algorithm and once these have been located, they are encrypted and written as encrypted cryptographic keys 21, 22 back into the EEPROM 20. The smartcard issuer himself does not need to know the cryptographic master key 45 for the encryption step and in fact does not even need to know that there is a cryptographic master key 45 at all. The encryption step can be executed without the smartcard issuer knowing about it.

In order for the scanning step to recognize the cryptographic keys, these should advantageously be tagged, i.e., discernible as such. This is certainly the case for the smartcard being a JavaCard, since Java is an object-based system, in which all sensitive information is tagged by a Java class named “Key”.

After the encryption step, the access-limitation step effects that the smartcard 10 is set to a state in which the writing into the EEPROM 20 is limited, namely limited by the access control through the operating system 41. That limitation ensures that writing is no longer allowed into certain areas of the smartcard 10, amongst which is the area in which the encrypted cryptographic keys 21, 22 are located. Thereby a later modification in that forbidden area, including fraudulent attempts, is excluded. After completion of the personalization step, the smartcard is in the so-called personalized state. The smartcard 10 is issued to the end-customer or user in this state.

In operation of the smartcard, as already described further above, the decryption runs via the DES coprocessor 55, which loads the cryptographic keys 21, 22 from the EEPROM 20. That loading step is prone to DPA, but since the cryptographic keys 21, 22 are present only in the encrypted form, and hence also transmitted in that form, that attack has a lower success rate. The cryptographic master key 45 is loaded to the DES coprocessor 55 from the ROM 40 and since the ROM 40 is less power-consuming than the EEPROM 20 or the RAM 30, a successful attack via DPA is much harder and hence less probable.

In principle, the operation execution step can be executed without the environment around the smartcard knowing about the use of the cryptographic master key 45. From the perspective of the result of the operation that is executed, there is no difference. The advantage lies in the fact that the described method and system increase system security but are totally transparent to the outside environment.

It is hence suggested that the sensitive data, i.e., the cryptographic keys 21, 22 stored in the EEPROM 20, are stored in an encrypted form, not as plain data prone to the attack stated above. The encryption step is performed under use of another secret key, the cryptographic master key 45, that may either be unique to the chip, or unique to a piece of software, called mask, containing the program logic accessing the EEPROM 20. This is achieved transparently to an application possibly making use of the cryptographic keys 21, 22. The encrypting cryptographic key 45 resides in non- or less-leaking storage, such as the ROM 40.

In other words, the introduction of the cryptographic master key 45 effects a reduction of the attackability of the smartcard 10, through a reduction of information leakage, also referred to as power dissipation, or attack susceptibility. The cryptographic master key 45 is applied for encryption of the first unencrypted information 31, 32, e.g. comprising clear-text keys, to form therefrom the first encrypted information 21, 22. Therefore the writing process is amended, and the clear-text keys are encrypted under use of the cryptographic master key 45, that is an internal chip- or mask-specific key, before they are stored into the EEPROM 20.

For decryption, the key-reading or -using method is intercepted, and the encrypted cryptographic keys 21, 22 are first decrypted in non- or less-leaking memory, such as the RAM 30, to gain the first unencrypted information 31, 32, before actual use thereof.

In an extended form, the processing method for personalization provides for a scanning of the complete EEPROM 20 for the therein-stored cryptographic keys 21, 22, and encrypting them all according to the same procedure as outlined above. This means that a complete EEPROM image consisting of non-sensitive and sensitive information in plain form can be converted to an EEPROM image consisting of non-sensitive information in plain form and sensitive information in encrypted form. A technology employable to do this is a memory-walking technology seeking out object types, i.e., cryptographic keys in the given scenario. In the case of a JavaCard, the known garbage collection mechanism can be utilized for this, as it also traverses the complete EEPROM 20. The benefit of this is that the smartcard 10 can be prepared and tested with all data, i.e. sensitive and non-sensitive, in plain form, and only at the end of testing and production be changed over to the secure mode in which the cryptographic keys 21, 22 are encrypted for use.
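The decryption flow of the operation execution step (key 21 decrypted in RAM 30 under master key 45, then applied to data 33) and the personalization described above (walk the whole EEPROM image, encrypt every object tagged as a key, then apply the access limitation), as an added Python simulation that is not part of the patent or of any JavaCard implementation. The card model, its memories, the "bus log" standing in for a DPA probe, the addresses and key values are all constructed, and the co-processor is a SHA-256 keystream stand-in rather than DES.

```python
import hashlib

MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed master key 45

def coprocessor_crypt(key: bytes, tweak: bytes, data: bytes) -> bytes:
    """Stand-in for the DES co-processor 55 (not DES): SHA-256 counter-mode keystream
    XORed over data, so one call encrypts and decrypts; the tweak separates objects."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + tweak + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class Obj:  # an object in the EEPROM image; cls is its type tag, e.g. "Key"
    def __init__(self, cls: str, value: bytes, encrypted: bool = False):
        self.cls, self.value, self.encrypted = cls, value, encrypted

class Card:
    """Memories of smartcard 10: ROM 40 (master key 45), EEPROM 20, RAM 30."""
    def __init__(self, master_key: bytes):
        self.rom = {"master_key": master_key}  # low leakage, read-only
        self.eeprom = {}                        # addr -> Obj; high leakage, persistent
        self.ram = {}                           # low leakage, volatile
        self.personalized = False
        self.eeprom_bus = []  # constructed DPA stand-in: every value read out of EEPROM

    def eeprom_write(self, addr: int, obj: Obj) -> None:
        if self.personalized:  # access-limitation step enforced by the OS 41
            raise PermissionError("EEPROM key area is write-protected")
        self.eeprom[addr] = obj

    def eeprom_read(self, addr: int) -> Obj:
        obj = self.eeprom[addr]
        self.eeprom_bus.append(obj.value)  # what a probe on the leaky EEPROM observes
        return obj

    def personalize(self) -> int:
        """Encryption step: walk the whole EEPROM image, encrypt every object tagged
        "Key" under the master key, then apply the access limitation."""
        count = 0
        for addr, obj in list(self.eeprom.items()):
            if obj.cls == "Key" and not obj.encrypted:
                ct = coprocessor_crypt(self.rom["master_key"], addr.to_bytes(2, "big"), obj.value)
                self.eeprom[addr] = Obj("Key", ct, encrypted=True)
                count += 1
        self.personalized = True
        return count

    def execute_decrypt(self, key_addr: int, second_encrypted: bytes) -> bytes:
        """Operation execution step: fetch key 21 from EEPROM, decrypt it in RAM under
        master key 45 if stored encrypted, then use it to decrypt data 33."""
        obj = self.eeprom_read(key_addr)
        if obj.encrypted:  # decryption step runs in the less-leaking RAM
            self.ram["master_key"] = self.rom["master_key"]
            self.ram["key"] = coprocessor_crypt(self.ram["master_key"],
                                                key_addr.to_bytes(2, "big"), obj.value)
        else:
            self.ram["key"] = obj.value  # pre-invention flow: plain key crossed the leaky bus
        result = coprocessor_crypt(self.ram["key"], b"data33", second_encrypted)
        self.ram.clear()  # nothing sensitive remains in RAM after the operation
        return result

def demo() -> dict:
    """Constructed scenario: one Key and one non-sensitive object, used before and after."""
    card = Card(MASTER_KEY)
    key21 = bytes.fromhex("0123456789abcdef")  # constructed personal key 21
    card.eeprom_write(0x0100, Obj("Key", key21))
    card.eeprom_write(0x0200, Obj("Counter", b"\x00\x07"))
    data33 = coprocessor_crypt(key21, b"data33", b"transaction amount: 42")  # constructed
    card.execute_decrypt(0x0100, data33)  # test-phase use with keys still in plain form
    leaked_before = key21 in card.eeprom_bus
    card.eeprom_bus.clear()
    encrypted = card.personalize()  # end of production: change over to the secure mode
    plaintext = card.execute_decrypt(0x0100, data33)
    return {"encrypted_objects": encrypted, "leaked_before": leaked_before,
            "leaked_after": key21 in card.eeprom_bus, "plaintext": plaintext,
            "counter_plain": card.eeprom[0x0200].value == b"\x00\x07", "ram_clear": not card.ram}
```

The returned dictionary contrasts the two flows: before personalization the plain key crosses the EEPROM bus, afterwards only its ciphertext does, while the operation's result is unchanged and non-key objects stay in plain form.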

The described embodiments are combinable in part as well as in whole.

It is obvious for the person skilled in the art that the present invention can be realized in hardware, software, or a combination of these. Also, it can be implemented in a centralized fashion on one single computer system, or in a distributed fashion where different elements are spread across several interconnected computers or computer systems, whereby any kind of a computer system—or other apparatus adapted for carrying out the methods described herein—is suited. A typical combination of hardware and software could be a general purpose computer system with a computer program that, when being loaded and executed, controls the computer system such that it carries out the methods described herein. The present invention can also be embedded in a computer program product, which comprises all the features enabling the implementation of the methods described herein, and which—when loaded in a computer system—is able to carry out these methods.

Computer program means or computer program in the present context mean any expression, in any language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after either or both of the following: a) conversion to another language, code or notation; b) reproduction in a different material form.

Any disclosed embodiment may be combined with one or several of the other embodiments shown and/or described. This is also possible for one or more features of the embodiments.

It is obvious that a person skilled in the art can modify the shown arrangements in many ways without departing from the gist of the invention which is encompassed by the subsequent claims.

1. A method of processing and executing an operation on a data-processing system comprising a processor, a first persistent memory, a second persistent memory, an operating system, and a first cryptographic key stored in said second persistent memory, the method comprising: a writing step for writing first unencrypted information into said first persistent memory, wherein the first unencrypted information is selected to comprise a second cryptographic key usable for decrypting second encrypted information for the operation; an encryption step for encrypting said first unencrypted information under use of said first cryptographic key, creating therefrom first encrypted information in said first persistent memory; an access-limitation step for setting the data-processing system to a state in which writing into said first persistent memory is controlled by the operating system; a decryption step for decrypting said first encrypted information under use of said first cryptographic key, thereby generating therefrom the first unencrypted information; and an execution step for executing the operation by said processor, using the first unencrypted information generated in the decryption step; and a scanning step for scanning the first persistent memory for cryptographic keys, the scanning step comprising walking memory to seek an object type representing a cryptographic key; and wherein the first persistent memory has a first level of power dissipation; wherein the second persistent memory has a second level of power dissipation that is lower than said first level of power dissipation; and wherein the encryption step is configured to encrypt cryptographic keys recognized by the scanning step.